FYI

Sent by Cathy Petersen on behalf of David Conrad:

30 April 2018

RE: Discouraging the use of emoji in domain names by ccTLDs for end user security

Ms. Katrina Sataki

Chair, Country Code Names Supporting Organization

Dear Ms. Sataki,

Lately, there has been increasing interest in the use of emoji in domain names, with some country code Top Level Domain operators (ccTLDs) allowing domain names with emoji to be newly registered at the second level. 

The ICANN Security and Stability Advisory Committee (SSAC) studied the use of emoji in the domain name system and issued an advisory (SAC095) highlighting various associated risks.  SSAC has identified at least three significant factors that may cause confusion in the use of emoji, making them a security risk and thus, unsuitable for use in domain names:

1.     Many emoji are visually similar and can be difficult to distinguish, especially when displayed in smaller fonts or by different applications, as no standard specifies exactly how they should be displayed

2.      

3.     Some emoji can be “glued” together using a special joining character allowing them to be displayed as a single symbol by some systems.  This creates the following two ways in which confusion can occur

a.        To a user, a single unmodified emoji might look exactly the same as its “glued together” counterpart; and

b.        For the systems that do not support emoji composition with the joiner character, they would display the individual components of a “glued together” emoji as a sequence of separate emoji, which may visually be very different from what was intended

4.     The ability to apply different colors to some emoji by appending one of five skin tone modifiers for an anthropomorphic emoji is highly sensitive to user interpretation

Such confusability creates significant issues and concerns in the use of domain name system.  As has been noted in an earlier SSAC report (SAC060), confusion in domain names can lead to denial of service or, worse, misconnection.  Such confusion exposes domain names for phishing and other social engineering attacks, leading to security problems for end users (SAC089). 

Noting these risks, the ICANN Board has resolved that “that the Country Code Names Supporting Organization (ccNSO) ... inform their respective communities about these risks.” 

We would respectfully request the Country Code Names Supporting Organization help by publicly reaching out to all ccTLDs, and specifically to the ccTLDs offering emoji domains,

to inform them about the end-user and systemic security risks in offering the emoji in domain names, and to discourage them from this practice to improve domain name system security for all users.

We thank the ccNSO in advance for considering this matter and look forward to a favourable reply.  The ICANN organization stands ready to provide any support as necessary for this purpose. 

Sincerely,

David Conrad

ICANN Chief Technology Officer